COGNOS Security Not Working Properly

Having a time getting a security model to work properly and it is frustrating.

Folder structure is set up:

Public Folders/Reports/Production/East Region/Div 7/DivisionReport

User1 belongs to the Div7 group. Div7 belongs to no other group or role.

Div7 group is granted traverse permissions to East Region. On the Div 7 folder, Div7 group has been granted Read, Execute and Traverse permissions. User1 cannot execute DivisionReport for which Div7 is granted Read, Execute and Traverse permission.

DivisionReport does use drill throughs. The drill through report is located in:

Public Folders/Reports/Production/Reports/Target/Division TargetReport

Div7 group is granted Traverse permissions all the way to the Reports folder and then Execute and Traverse permission on the Target folder. If User1 navigates to the Target folder, User1 can execute any of the reports in that folder which have Execute and Traverse permissions granted for Div7 group.


Check your permissions for the Package used for the DivisionReport. Could they be different?
Are the reports themselves taking the permissions from the Parent folder, i.e. no override?
Try giving Div7 group Read, Execute, Traverse permissions all the way down the folder hierarchies
Less Likely - but you might need to check your Capabilities for Report Studio users

This is what has been so frustrating. I granted the Div7 group permissions just as you suggested (I've tried every combination I can think of!) and it still will not work. I have a role that Div7 belongs to, ExpressUsers (we're using COGNOS Express, which is pretty much 8.4.1) and there are combinations that work, but unfortunately are worthless because they also grant permission to the users in the group to access any report in any folder.

I must confess, I am not sure which capabilities the role must have to execute a report, but I believe it has it because granting it some permissions will cause the reports to execute.

There just does not seem to be any consistency to any of the working and non-working combinations. I have pored through COGNOS documentation to see what I'm missing, but nothing jumps out as something I've missed.

I would like a model example to go by, but have been unable to find anything like that to compare what I'm doing. The security model I want does not seem all that complex, but something is sure jamming the works.

Figured out what the problem was. The report objects were not reports, but report windows. The base reports did not have the proper permission.

This, however, introduces a new problem. With traverse permission granted, the users can simply navigate to the base report and execute it to bypass the parameter restrictions on their report windows, gaining access to data they should not have.

Is there a simple way to prevent that? The report is based on a TM1 cube and I could control it there.